The General Data Protection Regulation will make it mandatory for certain organisations to designate a data protection officer. But does yours actually need one? What does the role involve? And just who can do the job? Joanne Bone, partner at Irwin Mitchell, offers a comprehensive guide to all you need to know.
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and represents a complete overhaul of the current data protection regime. In-house counsel teams are likely to be at the forefront of advising the business on the requirements of the GDPR.
One of those requirements is the accountability principle, which requires you to demonstrate your compliance with the GDPR. Not only do you have to do the right thing, but you must also demonstrate that you are doing it. You can demonstrate compliance by implementing a range of different measures, one of which is appointing a data protection officer (DPO) where appropriate.
The practice of appointing a DPO is not new, and has already developed over many years in several countries (eg Germany and Sweden), but there is now a statutory obligation in the GDPR for businesses to appoint a DPO in certain circumstances.
There is a popular misconception that this obligation requires all organisations to appoint a DPO in all situations in order to be GDPR-compliant. This is not the case, and it is only a mandatory obligation in certain circumstances. You should therefore assess your collection and use of personal data to understand whether you will be required to appoint a DPO under the GDPR or not.
Who needs to appoint a DPO?
The appointment of a DPO applies to both data controllers and processors. If your organisation meets the criteria set out below, it will be required to appoint a DPO.
The GDPR requires the compulsory appointment of a DPO where:
(a) the processing is carried out by a public authority or body, or
(b) the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or
(c) the core activities of the controller or the processor consist of processing on a large scale of sensitive personal data or personal data relating to criminal convictions and offences.
Given the lack of clarity in the above provisions, the Article 29 Working Party (A29 WP) has adopted guidelines to explain what constitutes ‘regular and systematic monitoring’ and at what point processing can be defined as ‘large scale’.
Regular and systematic monitoring
Regular and systematic monitoring is not defined in the GDPR. According to the A29 WP, however, the concept of ‘regular’ includes processing that is ongoing, recurring or repeated at fixed times, and the concept of ‘systematic monitoring’ includes processing that is pre-arranged, organised, methodical and occurring according to a system. Examples include tracking and profiling on the internet (including for the purposes of behavioural advertising), profiling and scoring for the purpose of risk assessment (eg credit scoring or fraud protection), and location tracking.
The A29 WP recommends that a number of factors are taken into consideration when determining whether processing is carried out on a ‘large scale’, which include having regard to:
- the number of individuals concerned
- the volume of data and/or the range of different data items being processed
- duration of the data processing activity and the geographical extent of the processing activity.
An example of such large-scale processing given by the A29 WP is processing of customer data in the course of business by an insurance company or bank.
Where the GDPR does not require the mandatory appointment of a DPO, you can nevertheless appoint one on a voluntary basis – this is a decision that should be considered, as there are clear benefits to a voluntary appointment. This is encouraged by the A29 WP. It will also show the Information Commissioner’s Office (ICO) and your customers that you are committed to complying with your data protection obligations. You can’t be wrong for appointing a DPO, but you can be wrong for taking the decision not to do so.
You should, however, bear in mind that if you appoint a DPO voluntarily, you must still comply with the full range of compliance obligations as if the appointment had been mandatory. You must therefore ensure that your business is able to comply with all the obligations that come with the role; if not, you should not use the title of DPO within your business and should clearly document that you have decided not to appoint a DPO and the reasons for that decision.
If you decide that having a formal DPO appointment is not necessary, it is still a good idea to have someone who is the focus of GDPR compliance within the business, and can deal with such things as subject access requests and communication from the ICO.
What does a DPO do?
The DPO’s tasks include:
- informing the business and its employees who carry out processing of their obligations under the GDPR
- monitoring compliance with the GDPR, and with the policies in place for the protection of personal data, including staff training and audits
- providing advice in relation to data protection impact assessments
- cooperating with the ICO and acting as its contact point.
Who should be appointed as a DPO?
Whilst there are currently no mandatory qualifications for who can be a DPO, there are certain requirements to follow, and you should consider carefully who should be appointed and whether they should be an employee or a consultant under a contract for services.
A key requirement for a DPO is that they have to be independent. This rules out a number of internal roles that might otherwise seem suitable. It also raises issues as to whether the external appointment of a consultant will work.
From an internal perspective, individuals who determine what personal data is collected and how it is used cannot be a DPO, because they don’t have the requisite independence. If, in a nutshell, you are ‘marking your own homework’, from a data protection perspective you are not suitable to be a DPO. According to the A29 WP, the following people cannot be a DPO:
- chief executive
- chief financial officer
- head of IT
- head of marketing department
- chief operating officer
- head of HR.
This makes it more likely that someone from in-house legal or compliance will be a popular choice.
Some businesses have expressed an interest in appointing one of their external legal advisers as DPO. Whilst this is possible, you should give the issue careful thought, because there is a concern that a law firm acting as DPO for a client may face conflict issues. From the point of view of DPO independence, there is an argument that if a law firm takes on the role, it may be conflicted out of assisting on other matters, eg litigation. Question marks have also been raised over the negotiation of contracts which involve substantial data protection issues.
The other issue in relation to an external appointment is ensuring that the external lawyer is sufficiently embedded in the business to carry out the role. If you go down this route, the external firm will need to be able to demonstrate that it can monitor compliance and things such as staff training effectively.
In a nutshell, an external appointment can work; you just need to give thought to how to avoid the issues raised above.
Another popular misconception about the role of DPO is that they must have legal or specialist privacy qualifications. This is not the case – mandatory qualifications have not been set. The DPO should have expertise in national and European data protection laws and a sufficient understanding of what the business does with personal data. An external appointment of an individual with data protection legal expertise would mean that this requirement is met, but does not take away from the potential conflict issue.
We would recommend that, as with other compliance issues under the GDPR, your decisions in relation to a DPO are recorded in writing. It is a good idea to have a policy in place that records what the role of the DPO is in the context of the organisation, states who cannot be DPO, and sets out ground rules to avoid conflicts of interest.
Consequences for organisations
Breaches of the GDPR can result in fines of a maximum of €20 million or four per cent of annual worldwide turnover, whichever is the greater. Where an organisation fails to adhere to the full range of DPO compliance obligations under the GDPR, however, the maximum fines it may face are up to €10 million or two per cent of annual worldwide turnover, whichever is the greater.
Although the appointment of a DPO may seem like a burden, it can in fact be advantageous, and there are many positives, in that the DPO facilitates compliance with data protection obligations in a centralised manner. Getting compliance right and demonstrating that you comply with the GDPR can give you a competitive advantage, enabling you to develop a relationship of trust and confidence, both internally with your employees and externally with your customers and suppliers.